Troubleshooting slow DNS lookup
kalman.feher at melbourneit.com.au
Fri Nov 26 08:38:46 UTC 2010
On 26/11/10 5:58 AM, "Mark Andrews" <marka at isc.org> wrote:
> In message <AANLkTimZMC4PGNe7N72hnB7gnjUaT9r2OKTiGAazv4RP at mail.gmail.com>,
> to Wahyudi writes:
>> Hi Mark,
>> Thanks for the pointers, you are spot on!
>> Doing dig +trace +dnssec www.paypal.com always fail.
>> After some investigation with the network guys, it appears that our upstream
>> firewall is dropping DNS UDP packets larger than 512.
>> Cisco FWSM has this configuration enabled by default:
> So the default is "inspect dns maximum-length 512" if I read that
> page correctly. "inspect dns" or as a minimum "inspect dns
> maximum-length 4096" will allow reply traffic through for named.
> I thought I had heard that Cisco had code which looked for the EDNS
> UDP size option and adjusted the maximum length based on that on a
> per transaction basis and enforced 512 if there wasn't an EDNS option.
Yes, but I think it's a recent addition to their code.
The Cisco ASA supports:
message-length maximum client auto
This will use the OPT value as the maximum. I know it's supported on version
8.3 of ASA software. It might not be supported by the switch modules of the
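As an added diagnostic example (not from this thread or from any of its authors), the probe below sends a query carrying an EDNS0 OPT record that advertises a 4096-byte UDP payload with the DO bit set, then repeats it advertising 512; a reply that only arrives for the smaller advertised size points at a middlebox enforcing the 512-byte limit discussed above. The server address, the query name and the constructed sample replies are assumptions.

```python
import socket
import struct
from typing import Optional

def build_edns_query(qname: str, qtype: int = 1, udp_size: int = 4096,
                     dnssec_ok: bool = True, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query with an EDNS0 OPT record (RFC 6891).

    udp_size is the UDP payload size advertised in the OPT record's CLASS
    field: a middlebox that honours OPT should pass replies up to that size,
    while one enforcing a fixed 512-byte limit drops larger replies. The DO
    bit requests DNSSEC records, which makes replies larger.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1 (OPT)
    labels = [l.encode() for l in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    ttl = 0x8000 if dnssec_ok else 0          # ext-RCODE(8) | version(8) | DO(1) | Z(15)
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, ttl, 0)  # root, OPT, size, TTL, RDLEN
    return header + question + opt

def classify_reply(reply: Optional[bytes]) -> dict:
    """Summarise a raw UDP reply; None means nothing came back before the timeout."""
    if reply is None or len(reply) < 12:
        return {"received": False}
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {"received": True, "size": len(reply), "over_512": len(reply) > 512,
            "truncated": bool(flags & 0x0200), "answers": an}

def probe(server: str, qname: str, udp_size: int = 4096, timeout: float = 3.0) -> dict:
    """Send one EDNS query over UDP and classify whatever arrives."""
    query = build_edns_query(qname, udp_size=udp_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            data = None
    return classify_reply(data)

if __name__ == "__main__":
    import sys
    # Assumed defaults (documentation address and name), overridable on the command line.
    server = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"
    name = sys.argv[2] if len(sys.argv) > 2 else "www.example.com"
    for size in (4096, 512):
        print(f"advertised UDP size {size}: {probe(server, name, size)}")
```

Run it against the resolver in front of the suspect firewall; a response for 512 but a timeout for 4096 is the signature of the length-limited inspection.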